Hoarding Logs

Archive your security logs in one place with this command-line tool.

By Don Jones

06/01/2006

Ages and ages ago, I wrote a column on Microsoft Audit Collection Server (MACS),
a (then) free tool that would consolidate Security event log events into a central
SQL Server database, using all kinds of cool security techniques to prevent spoofing,
administrator bypassing and other shenanigans. Shortly after the column ran, MACS
dropped off the face of the earth. I suspect Microsoft is retooling it to be a
commercial product, or maybe part of a commercial product like Microsoft Operations
Manager (MOM) or Microsoft System Center or something, but that's pure conjecture.
In the meantime, we're still left without many tools to help manage all the event
logs from all our servers.

While commercial tools exist (Objective
Software's EventMaster or Prism Microsystems'
EventTracker, among others), I was really looking for something with a price
tag of "free." Maybe not as robust as MACS promised to be, but at least something
that could archive my various security logs into a central location for long-term
storage.

Windows Management Instrumentation (WMI) provides pretty decent access to Event Logs, so surely there
was some scriptable way to do what I wanted -- and there was. The result is ArchiveLogs, a command-line tool written in VBScript that grabs logs from one or more computers, saves them to a standard .EVT file, and then clears the log to make room for new events. You need to be a local Administrator on the targeted computers for this to work.

Run the tool with /? to see all the available options; the most common use
will be ArchiveLogs /list:computers.txt /ping /path:C:\Logs.
Or something like that; you'll obviously provide a file name of your own that
contains computer names (computers.txt in my example), and your own path for
the archived logs to be dumped in (C:\Logs in my
example). Figure 1 shows a sample run: Notice that I added the
/verbose switch to generate more detailed output, and note also that
the tool displays an error if it's not able to back up the log (this is generally
due to a lack of security permissions, but it can also be the result of a failure
to connect to WMI, perhaps because of a local firewall configuration). If the
tool can't back up the log, it doesn't try to clear it, thus ensuring you don't
lose anything.

Figure 1. The output from running this month's script with the "verbose" switch.

When it's able to grab a backup, the tool uses the path you specify in the
/path argument. Under that path, it creates one sub-folder for each computer
you target, and names the event log files based on the current date: YYYYMD
(year, month, and day). That'll help you keep everything straight.

The big caveat with this tool is security, security, security: You'll need to have appropriate permissions to back up the log file, and clear it, in order for it to do its job. When in doubt, target it to your local computer first, as a test, and make sure you're a local Administrator. If it works on your local computer, it should work on other computers, provided connectivity exists and permissions are correct.

If you'd like to customize this tool a bit, you can have it grab logs other than the Security event log. Just look for this line, at around line 179 of the file:

Changing the log file name from "Security" to "Application"
or "System" will back up the appropriate log. Those other logs often
have less-strict security requirements too, because they're not considered as
sensitive.
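The back-up-then-clear loop the tool performs, including the "don't clear unless the backup succeeded" rule and the switchable log name, as an added PowerShell example that is not the ArchiveLogs script itself. It uses the same WMI class (Win32_NTEventlogFile) with its BackupEventlog and ClearEventlog methods; the list-file format, the ADMIN$-share directory creation and the file naming are my assumptions, and note that BackupEventlog writes the archive on the target computer's own disk.

```powershell
# Added example, not the original VBScript tool. Requires local Administrator
# rights on every target (SeBackupPrivilege/SeSecurityPrivilege for Security).
param(
    [string]$ListFile    = 'computers.txt',  # assumed: one computer name per line
    [string]$ArchiveRoot = 'C:\Logs',        # path as seen on the TARGET computer
    [string]$LogName     = 'Security'        # or 'Application' / 'System'
)

$today = Get-Date -Format 'yyyyMMdd'

foreach ($computer in (Get-Content $ListFile | Where-Object { $_.Trim() })) {
    $computer = $computer.Trim()

    # Equivalent of the tool's /ping switch: skip hosts that do not answer.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "${computer}: no response to ping, skipping"
        continue
    }

    # -EnableAllPrivileges turns on the backup/security privileges for this
    # WMI connection; a firewall or DCOM problem surfaces here as an exception.
    try {
        $log = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $computer `
               -Filter "LogfileName='$LogName'" -EnableAllPrivileges -ErrorAction Stop
    } catch {
        Write-Warning "${computer}: WMI connection failed ($($_.Exception.Message))"
        continue
    }

    # One sub-folder per computer. BackupEventlog does not create directories and
    # resolves the path on the remote machine, so pre-create it via the admin share.
    $remoteDir = Join-Path $ArchiveRoot $computer
    $uncDir    = "\\$computer\" + $remoteDir.Replace(':', '$')
    New-Item -ItemType Directory -Path $uncDir -Force | Out-Null
    $archive   = Join-Path $remoteDir "$LogName-$today.evt"

    # ReturnValue 0 = success; 8 = privilege missing; 183 = archive already exists.
    $result = $log.BackupEventlog($archive)
    if ($result.ReturnValue -ne 0) {
        Write-Warning "${computer}: backup failed (code $($result.ReturnValue)); log NOT cleared"
        continue
    }

    # Only clear once the archive is safely written, so no events are lost.
    $null = $log.ClearEventlog()
    Write-Host "${computer}: archived $LogName to $archive and cleared the log"
}
```

Run it first against your own computer name in the list file, as the column suggests, before pointing it at servers.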

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.